b'           ASSESSMENT REPORT\n                 11-08\n\n\n\n      ASSESSMENT OF GPO\xe2\x80\x99S PUBLIC KEY\nINFRASTRUCTURE CERTIFICATION AUTHORITY \xe2\x80\x93\n           ATTESTATION REPORT\n\n\n            September 30, 2011\n\x0cDate\nSeptember 30, 2011\nTo\nChief Information Officer\nFrom\nAssistant Inspector General for Audits and Inspections\nSubject\nWebTrust Assessment of GPO\xe2\x80\x99s Public Key Infrastructure Certification\nAuthority \xe2\x80\x93 Attestation Report\nReport Number 11-08\n\n\nThe Government Printing Office (GPO) Office of Inspector General (OIG) has\ncompleted the WebTrust assessment of GPO\xe2\x80\x99s Public Key Infrastructure\n(PKI) Certification Authority (CA) for 2011. The purpose of the assessment\nwas to determine whether GPO\xe2\x80\x99s management assertion related to the\nadequacy and effectiveness of controls over its CA operations, is in all\nmaterial respects fairly stated. To conduct the assessment, the OIG\ncontracted with Ernst and Young LLP (E&Y), an independent public\naccounting firm licensed by the American Institute of Certified Public\nAccountants (AICPA) to provide WebTrust assurance services. Management\nof the GPO Certification Authority should be commended for once again\npassing this rigorous assessment.\n\nBackground and Objectives\n\nGPO has implemented a PKI to support its \xe2\x80\x9cborn digital and published to the\nweb\xe2\x80\x9d methodology to meet GPO customer expectations of being official and\nauthentic. The GPO PKI also directly supports GPO\xe2\x80\x99s mission related to\nelectronic information dissemination and e\xe2\x80\x90Government. The GPO CA\nissues, signs and manages the public key certificates in secure facilities\nbased in Washington, D.C. The GPO PKI is cross\xe2\x80\x90certified with the Federal\nBridge Certificate Authority (FBCA). FBCA certification provisions require\nthe GPO PKI to undergo a compliance review 1. To satisfy this compliance\nrequirement, the OIG tasked E&Y to conduct a WebTrust assessment of its\n\n\n1Compliancereview requirements can be found at\n(http://www.idmanagement.gov/fpkipa/documents/audit_guidance.pdf)\n\x0cCA. The assessment was conducted in accordance with the AICPA\xe2\x80\x99s\nWebTrust Principles and Criteria for Certificate Authorities and Statement\non Standards for Attestation Engagements (SSAE) Number 10. The\nassessment represents an evaluation of whether GPO\xe2\x80\x99s assertion related to\nthe adequacy and effectiveness of controls over its CA operations is fairly\nstated based on underlying principles and evaluation criteria.\n\nThe scope of the assessment included the following entities involved with\noperating the GPO CA:\n\n   \xe2\x80\xa2   CA Policies and Procedures;\n   \xe2\x80\xa2   Registration Authorities;\n   \xe2\x80\xa2   Certification Authorities and Repository; and\n   \xe2\x80\xa2   CA Supporting Systems, Databases and PKI facilities.\n\nThe assessment also measured the GPO CA\xe2\x80\x99s compliance with reporting\nrequirements of the Federal Public Key Infrastructure Policy Authority\n(FPKIPA).\n\nAs a result of work performed, E&Y issued two Attestation Reports\n(enclosures) which express their unqualified opinion that (1) GPO\nmanagement\xe2\x80\x99s assertion related to the adequacy and effectiveness of\ncontrols over its CA operations is, in all material respects, fairly stated based\non the AICPA WebTrust for Certification Authorities Criteria, and (2) GPO\nmanagement\xe2\x80\x99s assertion related to its CA operations compliance with the\nrequirements of the FPKIPA is fairly stated in all material respects.\n\nE&Y also issued a Letter of Supplementary Information to address additional\nFPKIPA reporting requirements. E&Y provided the means to display the\nreport electronically as appropriate with access via GPO\xe2\x80\x99s designated\nwebsite through an E&Y branded WebTrust seal for a period of 12 calendar\nmonths from issuance and for a longer period upon E&Y\xe2\x80\x99s prior written\nconsent. GPO should implement the seal as a hyperlink to the assertion and\nattestation report maintained on the AICPA\xe2\x80\x99s secure server, to a Universal\nResource Locator provided by E&Y. GPO may also, at its discretion, provide\na brief narrative and hyperlinks to the assertion and report on the AICPA\nserver, as approved by E&Y. GPO may display the seal on one or more web\npages within the noted GPO domains at its discretion. The seal and the\nreport may not be used on websites or in other ways not expressly\npermitted by Ernst and Young.\n\nThe two enclosed Attestation Reports cover the period July 1, 2010 through\nJune 30, 2011. Upon direction by the OIG, E&Y will perform future\nexamination procedures to support the issuance of updated reports. The\ntiming of such updates depends on factors such as the amount of change that\n\n\n\n                                        ii\n\x0chas occurred since the last update. Subsequent reports must cover a\ncontinuous representation period (i.e. commencing either on the beginning\nor ending date of the prior report) of up to 12 months.\n\nIn the event of material changes to GPO\xe2\x80\x99s CA system, additional assessment\nprocedures may be required to determine whether GPO continues to meet\nthe WebTrust for CA criteria and to issue an updated assessment report. If\nadditional assessment procedures are required but not performed, E&Y has\nthe option of declaring that the GPO no longer meets the WebTrust for CA\ncriteria and GPO would forfeit the right to display the electronic WebTrust\nSeal. Therefore, please notify the OIG in advance in the event that GPO\nmakes material changes to its CA system, including changes to controls,\ninformation handling practices, or disclosures; in the manner in which\nGPO complies with the WebTrust for CA criteria, in the nature of the\nproducts, information, or services offered; or changes in the systems\nused to support the GPO CA.\n\nThe report contains no recommendations and therefore we are not\nrequesting a management response. The final report distribution is in the\nAppendix to this report. If you have any questions concerning the report or\nthe assessment process, please contact Mr. Brent Melson, Deputy Assistant\nInspector General for Audits and Inspections at (202) 512-2037, or myself at\n(202) 512-2009.\n\n\n\n\nKevin J. Carson\nAssistant Inspector General for Audits and Inspections\n\nEnclosures\n\n\n\n\n                                     iii\n\x0cUS Government\nPrinting Office\nReport of Independent Accountants\n\nWebtrust for CA\n\x0c                                              Table of Contents\n\n\nReport of Independent Accountants ............................................................................. 1\n\nManagement Assertion ................................................................................................ 3\n\x0c                                                                    Ernst & Young LLP\n                                                                    Westpark Corporate Center\n                                                                    8484 Westpark Drive\n                                                                    McLean, VA 22102\n                                                                    Tel: + 1 703 747 1000\n                                                                    Fax: +1 703 747 0100\n                                                                    www.ey.com\n\n\n\n\n                          Report of Independent Accountants\n\nTo the Inspector General of the United States Government\n Printing Office and the Management of the United States\n Government Printing Office Certification Authority (GPO-CA):\n\nWe have examined the assertion by the management of the US Government Printing Office\n(GPO) that in providing its Certification Authority (CA) services known as GPO Public Key\nInfrastructure Certification Authority (GPO-CA) in Washington, DC for the Root CA: GPO-CA\nduring the period from July 1, 2010 through June 30, 2011, GPO-CA has:\n\n    \xef\x82\xa7   Disclosed its key and certificate lifecycle management business and information\n        privacy practices in its Certificate Practices Statement and provided such services in\n        accordance with its disclosed practices, and\n\n    \xef\x82\xa7   Maintained effective controls to provide reasonable assurance that:\n\n         \xe2\x80\x93   Subscriber information was properly authenticated;\n\n         \xe2\x80\x93   The integrity of keys and certificates it managed was established and protected\n             throughout their lifecycles;\n\n         \xe2\x80\x93 Subscriber and relying party information was restricted to authorized individuals\n           and protected from uses not specified in the CA\xe2\x80\x99s business practices disclosure;\n\n         \xe2\x80\x93   The continuity of key and certificate lifecycle management operations was\n             maintained; and\n\n         \xe2\x80\x93   CA systems development, maintenance and operations were properly authorized\n             and performed to maintain CA systems integrity\n\n         based on the AICPA/CICA WebTrust for Certification Authorities Criteria.\n\nGPO-CA\xe2\x80\x99s management is responsible for its assertion. Our responsibility is to express an\nopinion on management\xe2\x80\x99s assertion based on our examination.\n\nOur examination was conducted in accordance with attestation standards established by the\nAmerican Institute of Certified Public Accountants, and accordingly, included (1) obtaining an\nunderstanding of GPO-CA\xe2\x80\x99s key and certificate lifecycle management business and\ninformation privacy practices and its controls over key and certificate integrity, over the\n\n\n\n\n                                                                                                                    1\n                                                                    A member firm of Ernst & Young Global Limited\n\x0cauthenticity and privacy of subscriber and relying party information, over the continuity of\nkey and certificate lifecycle management operations, and over development, maintenance\nand operation of systems integrity; (2) selectively testing transactions executed in\naccordance with disclosed key and certificate lifecycle management business and information\nprivacy practices; (3) testing and evaluating the operating effectiveness of the controls; and\n(4) performing such other procedures as we considered necessary in the circumstances. We\nbelieve that our examination provides a reasonable basis for our opinion.\n\nBecause of inherent limitations in controls, errors or fraud may occur and not be detected.\nFurthermore, the projection of any conclusions, based on our findings, to future periods is\nsubject to the risk that the validity of such conclusions may be altered because of changes\nmade to the system or controls, the failure to make needed changes to the system or\ncontrols, or deterioration in the degree of effectiveness of the controls.\n\nIn our opinion, for the period from July 1, 2010 through June 30, 2011, GPO-CA\nmanagement\xe2\x80\x99s assertion, as set forth in the first paragraph, is fairly stated, in all material\nrespects, based on the AICPA/CICA WebTrust for Certification Authorities criteria.\n\nThe WebTrust seal of assurance for certification authorities on GPO-CA\xe2\x80\x99s website constitutes\na symbolic representation of the contents of this report and it is not intended, nor should it be\nconstrued, to update this report or provide any additional assurance.\n\nThe relative effectiveness and significance of specific controls at GPO-CA and their effect on\nassessments of control risk for subscribers and relying parties are dependent on their\ninteraction with the controls, and other factors present at individual subscriber and relying\nparty locations. We have performed no procedures to evaluate the effectiveness of controls\nat individual subscriber and relying party locations.\n\nThis report does not include any representation as to the quality of GPO-CA\xe2\x80\x99s services beyond\nthose covered by the WebTrust for Certification Authorities Criteria, nor the suitability of any\nof GPO-CA\xe2\x80\x99s services for any customer\xe2\x80\x99s intended purpose.\n\n\n\n\ney\nSeptember 7, 2011\n\n\n\n\n                                                                                                                       2\n                                                                       A member firm of Ernst & Young Global Limited\n\x0c3\n\x0c4\n\x0c5\n\x0cUS Government\nPrinting Office\nReport of Independent Accountants\n\nFederal PKI Compliance Report\n\x0c                                              Table of Contents\n\nReport of Independent Accountants ............................................................................. 1\n\nManagement Assertion ................................................................................................ 2\n\nLetter of Supplementary Information ........................................................................... 4\n\nSummary of Matters Relating to Project Personnel ....................................................... 6\n\x0c                                                                       Ernst & Young LLP\n                                                                       Westpark Corporate Center\n                                                                       8484 Westpark Drive\n                                                                       McLean, VA 22102\n                                                                       Tel: + 1 703 747 1000\n                                                                       Fax: +1 703 747 0100\n                                                                       www.ey.com\n\n\n\n\n                           Report of Independent Accountants\n\n\nWe have examined the assertion, dated September 7, 2011, by the management of the United\nStates Government Printing Office (\xe2\x80\x9cGPO\xe2\x80\x9d), that GPO\xe2\x80\x99s Certification Authority (GPO-CA)\ncomplied with the requirements of its Certificate Policy (CP), Version 1.3.1 dated August 17,\n2009 and its Certificate Practices Statement (CPS) Version 1.7.1 dated June 3, 2011, for the\nperiod July 1, 20010 to June 30, 2011, as well as the requirements of the Federal PKI\nAuthority and all current cross-certification Memorandum of Agreements (MOAs) executed by\nthe GPO-CA with other entities. Management is responsible for GPO\xe2\x80\x99s compliance with those\nrequirements. Our responsibility is to express an opinion on management\xe2\x80\x99s assertion about\nGPO\xe2\x80\x99s compliance based on our examination.\n\nOur examination was conducted in accordance with attestation standards established by the\nAmerican Institute of Certified Public Accountants and accordingly, included examining, on a\ntest basis, evidence about GPO-CA\xe2\x80\x99s compliance with those requirements and performing such\nother procedures as we considered necessary in the circumstances. We believe that our\nexamination provides a reasonable basis for our opinion. Our examination does not provide a\nlegal determination on GPO-CA\xe2\x80\x99s compliance with specific requirements.\n\nIn our opinion, for the period from July 1, 2010 through June 30, 2011, GPO-CA\nmanagement\xe2\x80\x99s assertion, as set forth in the first paragraph, is fairly stated, in all material\nrespects.\n\nThis report is intended solely for the information and use of the GPO and the U.S Federal PKI\nPolicy Authority and is not intended to be and should not be used by anyone other than those\nspecified parties.\n\n\n\n\ney\nSeptember 7, 2011\n\n\n\n\n                                                                                                                       1\n                                                                       A member firm of Ernst & Young Global Limited\n\x0c2\n\x0c3\n\x0c                                                                    Ernst & Young LLP\n                                                                    Westpark Corporate Center\n                                                                    8484 Westpark Drive\n                                                                    McLean, VA 22102\n                                                                    Tel: + 1 703 747 1000\n                                                                    Fax: +1 703 747 0100\n                                                                    www.ey.com\n\n\n                                                                    September 7, 2011\n\n\n\n\nLetter of supplementary information\n\nTo the Inspector General of the United States Government Printing Office and the Management of\nthe United States Government Printing Office Certification Authority (GPO-CA):\n\nThis letter provides supplementary information to the examination performed by Ernst & Young\nLLP of the assertion by the management of the GPO-CA regarding the certification authority\nservices it provides at http://www.gpo.gov/projects/pki.htm.\n\nManagement\xe2\x80\x99s assertions were based on the American Institute of Certified Public Accountants\n(AICPA)/Canadian Institute of Chartered Accountants WebTrust for Certification Authorities\ncriteria. GPO-CA\xe2\x80\x99s management was responsible for its assertion. Our responsibility was to\nexpress an opinion on management\xe2\x80\x99s assertion based on our examination.\n\nOur examination was conducted in accordance with attestation standards established by the\nAICPA and, accordingly, included examining, on a test basis, evidence about GPO\xe2\x80\x99s compliance\nwith those requirements and performing such other procedures as we considered necessary in\nthe circumstances. We believe that our examination provides a reasonable basis for our opinion.\nOur examination does not provide a legal determination on GPO-CA\xe2\x80\x99s compliance with specified\nrequirements.\n\nThe audit period for this examination was from July 1, 2010 through June 30, 2011. Our\nexamination was performed between April 21, 2011 and September 1, 2011.\n\nWe examined the Certificate Policy (CP) for the GPO-CA version 1.3.1, dated August 17, 2009,\nand the Certification Practices Statements (CPS) for the GPO Principal Certification Authority\n(GPO-PCA) version 1.7.1, dated June 3, 2011. Multiple Root CAs were not in operation at\nGPO-CA.\n\nOur examination included, through our testing of management\xe2\x80\x99s assertion, the evaluation of\nGPO-CA\xe2\x80\x99s operations for conformance to the requirements of its CPS and the evaluation of\nGPO-CA\xe2\x80\x99s operations for conformance to the requirements of all current cross-certification\nMemorandum of Agreements (MOAs) executed by the GPO-CA with other entities. In our\nReport of Independent Accountants dated September 7, 2011, we reported that\nmanagement\xe2\x80\x99s assertion was fairly stated in all material respects.\n\n\n\n\n                                                                                                                    4\n                                                                    A member firm of Ernst & Young Global Limited\n\x0cWe have compared the CPS for the GPO-PCA version 1.7.1, dated June 3, 2011, for\nconformance to the CP for the GPO-CA version 1.3.1, dated August 17, 2009. We found, in all\nmaterial respects, that the GPO-PCA CPS is in conformance with GPO-CA CP.\n\nWe have compared the CPS for the GPO-PCA version 1.7.1, dated June 3, 2011 for conformance\nto the FPKI Common Policy. For this analysis we utilized the Framework Certification Practice\nStatement Evaluation Mapping Matrix, Version 2.8 (September 22, 2010). We found, in all\nmaterial respects, that the GPO-PCA CPS is in conformance with the requirements of the FPKI\nCommon Policy.\n\nWe are independent of the GPO for the professional engagement period as required by the AICPA\nProfessional Standards.\n\n\n\n\ney\n\n\n\n\n                                                                                                                   5\n                                                                   A member firm of Ernst & Young Global Limited\n\x0c                                                                       Ernst & Young LLP\n                                                                       Westpark Corporate Center\n                                                                       8484 Westpark Drive\n                                                                       McLean, VA 22102\n                                                                       Tel: + 1 703 747 1000\n                                                                       Fax: +1 703 747 0100\n                                                                       www.ey.com\n\n\n                                                                       September 7, 2011\n\n\n\n\nSummary of matters related to project personnel provided by Ernst & Young LLP\n\nTo the Inspector General of the United States Government Printing Office and the Management of\nthe United States Government Printing Office Certification Authority (GPO-CA):\n\nThe GPO Office of Inspector General (OIG) has asked Ernst & Young LLP (EY or we) to provide\ncertain information to assist in its efforts to provide the Federal Public Key Infrastructure Policy\nAuthority (FPKIPA) with information about the individuals who performed work as part of the\nWebTrust for Certification Authority (WTCA) examination services; these services are performed\nin accordance with relevant American Institute of Certified Public Accountants (AICPA) standards.\nThe FPKIPA sets policy governing operation of the U.S. Federal PKI Infrastructure, composed of:\nthe Federal Bridge Certification Authority (FBCA); the Federal Common Policy Framework\nCertification Authority (CPFCA); the Citizen and Commerce Class Common Certification Authority\n(C4CA) and the E-Governance Certification Authority. EY makes no representation regarding the\nsufficiency of this information for the purposes for which this information was requested. That\nresponsibility rests solely with the FPKIPA.\n\nEducational level and professional experience\n\nClient serving personnel (Professionals) EY has provided to the Agency have received a degree\nfrom an accredited college or university (or its equivalent if the individual was educated outside of\nthe United States). Certain individuals may also have advanced degrees. The majority of\nProfessionals provided to the Agency are part of EY\xe2\x80\x99s Advisory Services (AS) service line. AS\nfocuses its recruiting efforts on candidates with information technology, accounting, finance and\nother business-related degrees. Hiring activities and types of Professionals hired into each EY\nservice line, including Assurance and Tax, are generally the same as similar service lines and\npersonnel of Deloitte & Touche, PricewaterhouseCoopers and KPMG (who along with EY, are the\nBig Four).\n\nThe experience levels of Professionals provided will vary based upon various factors including age\nand length of time the individual has worked since receiving their degree. The amount of\nprofessional experience of Professionals may not solely be related to a person\xe2\x80\x99s employment\nperiod with EY, as EY normally hires a combination of experienced Professionals and\nProfessionals who recently graduated from a college or university. In most cases, the experience\nlevel within a rank classification of EY Professionals is generally the same as the other Big Four.\n\n\n\n\n                                                                                                                       6\n                                                                       A member firm of Ernst & Young Global Limited\n\x0cMethodologies, policies and procedures\n\nEY Professionals carrying out WTCA examinations are required to comply with policies and\nprocedures within the EY Advisory Global Practice Manual and related methodologies. In those\ncases where we do not perform work directly under the supervision and responsibility of Agency\npersonnel as part of an engagement to provide loan staff, and we provide management with our\nfindings and recommendations in those areas where we observe internal controls that, in our\nview, could be improved, the Advisory Global Practice Manual requires the work and any reports\nor deliverables to be in accordance with the Statement on Standards for Consulting Services\n(CS100) of the AICPA. The initial adoption of, and any subsequent changes in, policies and\nprocedures have been reviewed and approved by EY\xe2\x80\x99s Professional Practice group.\n\nProfessional certification and continuing education\n\nEY encourages its Professionals to obtain a professional certification. In certain service lines,\nobtaining a professional certification is a requirement for promotion. Individuals in AS are\nencouraged to obtain a professional certification, but it is not a requirement of employment or\nadvancement. AS\xe2\x80\x99 more experienced Professionals (which we refer to as managers, senior\nmanagers, executive directors, principals or partners) usually have a professional certification\nand some may have more than one certification. In the AS service line, the most common\ncertifications are Certified Public Accountant (CPA) (or its equivalent in other countries), Certified\nInternal Auditor (CIA) as recognized by the Institute of Internal Auditors, Certified Information\nSystems Auditor (CISA) as recognized by the Information Systems Audit and Control Association,\nor Certified Management Accountant (CMA) as recognized by the Institute of Management\nAccountants.\n\nThe continuing professional education requirements of the SEC (Securities and Exchange\nCommission) Practice Section of the AICPA Division for CPA firms are the foundation of EY\xe2\x80\x99s\nprofessional development policy. The policy applies to all professionals and Government\nAccountability Office (GAO) Guidance, as confirmed in consultation with GAO personnel, suggests\nthat staff and those individuals not managing an engagement subject to Government Auditing\nStandards (GAS) may generally satisfy the Government Auditing Standards (Yellow Book) 24 hour\nCPE requirement through completion of the firm\xe2\x80\x99s core training because significant portions of\ncore training content involve auditing under AICPA standards and AICPA standards are\nincorporated into GAS. As a subset of the 24 hour GAS requirement, our firm has a governmental\naudit continuing education policy that applies to each individual acting as partner in charge, the\nindependent reviewer, and each individual managing a governmental audit or attestation\nengagement. An individual\xe2\x80\x99s professional development principally occurs through formal learning\nand on-the-job training. Participation in formal education programs (including self-study\nprograms and meetings organized at least in part for educational purposes) is intended to\nsupplement on-the-job training and other learning activities.\n\n\n\n\n                                                                                                                        7\n                                                                        A member firm of Ernst & Young Global Limited\n\x0cParticipation in professional development programs is measured in units of continuing\nprofessional education (CPE) credit hours earned in our educational year. EY\xe2\x80\x99s educational year is\nJuly 1 through June 30. The EY policy for compliance is as follows:\n\n\xe2\x80\x93 Commencing with the first full educational year of employment, each professional must obtain\n  at least 20 CPE credit hours each year and at least 120 CPE credit hours during the most\n  recent three-year period.\n\n\xe2\x80\x93 Professionals who were not employed during the entire most recent educational year are not\n  required to earn continuing professional education credits in that year.\n\n\xe2\x80\x93 Professionals who were employed during the entire most recent educational year, but not\n  during the entire most recent two educational years, are required to have participated in at\n  least 20 hours of qualifying continuing professional education during the most recent\n  educational year.\n\n\xe2\x80\x93 Professionals who were employed during the entire most recent two educational years, but not\n  during the entire most recent three educational years, are required to have participated in at\n  least 20 hours of qualifying continuing professional education during each of the two most\n  recent educational years.\n\nProfessionals who hold a professional designation or certification other than the CPA certification\n(e.g., CIA, attorney at law, CISA, CMA) may be subject to continuing education requirements as\npart of that designation or certification. Completion of courses to meet these requirements may\nbe used to meet the firm\xe2\x80\x99s CPE requirements as long as the courses also meet the requirements\nof the AICPA\xe2\x80\x99s SEC Practice Section.\n\nExperience Auditing PKI Systems\n\nThe EY executive team assigned to the GPO project has experience in performing audits and\nimplementation of PKI systems and IT security. In addition, certain team members also have\nparticipated in a number of other commercial PKI and WebTrust for CA examinations both as a\nteam member and as a quality reviewer. We have incorporated consultations with other EY staff\nwho represent the firm on the AICPA WebTrust Task Force.\n\nWe are available if you need any additional information or would like to further discuss this\nmemorandum.\n\n\n\n\ney\n                                                                                                                       8\n                                                                       A member firm of Ernst & Young Global Limited\n\x0cSummary information for EY executives assigned to the engagement\n                                                                          In compliance with\n                                                              Years of      EY CPE policy\nName                         Rank        Certifications      experience        (Yes/No)\n                                         CA (Switzerland),\nWerner Lippuner         Principal                               22               Yes\n                                         CISA, CISM\n                        Executive\nJames Merrill                            CPA, CISA              29               Yes\n                        Director\n                                         CISSP, CPA, CISA,\nBruce Hamilton          Senior Manager                          30               Yes\n                                         CISM\nTimothy Iijima, Ph.D.   Senior Manager   PMP                    14               Yes\nStaci Angel             Manager          CISA                    7               Yes\n\n\n\n\n                                                                                       9\n\x0c                       Appendix. Report Distribution\n\nPublic Printer\nAssistant Public Printer, Operations\nChief of Staff\nChief Information Officer\nChief Technology Officer\nChief Information Security Officer\nQuality Assurance Director\n\x0c'